?ctl=register fails to point to custom page

New Post
5/13/2014 6:28 PM
 

Using DNN 7.2.2 with Data Springs Dynamic Registration.  Noticed that the http://www.mywebsite.com/default.aspx... still points to the default registration creating a security hole!

The thread:  http://www.dnnsoftware.com/forums/for...

mentioned that they had a similar problem with DNN 5.6.7.

They used a workaround of setting the portal to "none" in Site Settings->"User Account Settings".

Is there a better way?

Isn't the ctl=register supposed to point to the custom page set in Site Settings->Advanced Settings->Registration Page ?

 Thanks Ahead of Time!

Previous thread copy below:

Hello - I've searched for over an hour now trying to find out if there is a way to either disable the default registration process or add captcha to it so that we can block a number of attempts that are trying to create accounts on our site.

I'm not looking to simply change the default registration process to my customized registration page (we have a registration page that connects with the Data Springs modules and that works great).

My problem is that even though we have a normal process for registration that is "secure" - hackers or junk mailers can still try to create accounts in the system by hitting the generic registration page /register.aspx or by adding the ?ctl=register to the URL.

This registration page does not have captcha and while new accounts don't have security to get into our other pages that are for validated users - it creates a flood of junk accounts in the system.

Seems like this must be a common issue and probably some sort of easy fix but I can't seem to find this information anywhere.

Thanks in advance

 

Hello Chris - thanks for the reply.

We are on DNN V 5.6.7 and yes under the site Admin settings the registration is pointing to our custom page that has not been broken into - we are assuming that the Captcha has defended these bulk attempts.

We seem to be set now as we have redirected the page that is hit via /register.aspx to our custom page and have turned off the general registration by changing the setting from "public" to "none".  This seems to have fixed the back door that would be open if someone tried to put in ?ctl=register at the end of a URL string.

All good, or so it seems, from here and posting this so that others might find value.
Do appreciate the response with your questions.
-Clyde.

 
New Post
5/14/2014 12:47 PM
 
You can enable captcha easily enough - http://www.dnnsoftware.com/help#Docum... . However, my impression was that if a page was set as a custom registration page, ?ctl=Register would redirect to that. If this is not the case, please log it to support.dnnsoftware.com

 
New Post
5/20/2014 12:17 PM
 
Sadly, I received a promise of help from Navin Nagiah, CEO, DNNSoftware that never materialized.

Happily the folks at Data Springs showed me the work-around.

The original problem was that ?ctl=register would not point to the custom registration page set in site settings. Instead it points to the default registration page. This allows hackers/pranksters to create bogus accounts ad nauseam.

Set the Site Settings->User Account Settings->User Registration to: "None"

This of course requires that you have a custom registration system that does not require the "core functions."
 
New Post
5/20/2014 4:21 PM
 
I had the same issue, I fixed it using the request filtering.

If you are using IIS 7, you can turn on the request filtering and add the following code in web.config.

<system.webServer>
    <security>
        <requestFiltering>
            <denyQueryStringSequences>
                <add sequence="ctl" />
            </denyQueryStringSequences>
        </requestFiltering>
    </security>
</system.webServer>

 

This will deny the querystring "?ctl=register"
 
New Post
5/21/2014 5:45 PM
 

I enabled "request filters" in Host Settings->Other Settings->Enable Request Filters

I added the code to <system.webServer>:

<security>
    <requestFiltering>
        <denyQueryStringSequences>
            <add sequence="ctl" />
        </denyQueryStringSequences>
    </requestFiltering>
</security>
!!!!! Notice the space between add and sequence in the <add sequence="ctl" />

Otherwise you get an error when the site tries to load:-)

Thanks for the help!!!!:-)
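
Added example, not part of any post in this thread: a short Python model of how a denyQueryStringSequences rule matches, used to compare the posted "ctl" rule with a narrower "ctl=register" variant. The matching model (case-insensitive substring match on the raw and URL-decoded query string), the narrower rule and all sample URLs are assumptions constructed for illustration.

```python
# Added example (not from the thread): simplified model of an IIS
# denyQueryStringSequences rule, for comparing rule breadth offline.
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, unquote

# The rule as posted in the thread, and a hypothetical narrower variant.
POSTED = """<system.webServer><security><requestFiltering>
  <denyQueryStringSequences><add sequence="ctl" /></denyQueryStringSequences>
</requestFiltering></security></system.webServer>"""
NARROW = POSTED.replace('sequence="ctl"', 'sequence="ctl=register"')

# Constructed sample requests; the parameter names are illustrative only.
SAMPLES = [
    "http://www.mywebsite.com/default.aspx?ctl=register",
    "http://www.mywebsite.com/default.aspx?ctl%3dregister",
    "http://www.mywebsite.com/default.aspx?ctl=login",
    "http://www.mywebsite.com/default.aspx?directlink=42",
    "http://www.mywebsite.com/default.aspx?page=2",
]

def deny_sequences(config_xml):
    """Return the sequences listed under denyQueryStringSequences."""
    root = ET.fromstring(config_xml)
    return [a.get("sequence") for a in root.findall(".//denyQueryStringSequences/add")]

def matched_rule(url, sequences):
    """Return the first sequence that would reject url, else None.
    Assumed model: case-insensitive substring match on the raw query
    string and on its URL-decoded form."""
    query = urlsplit(url).query
    forms = (query.lower(), unquote(query).lower())
    for seq in sequences:
        if any(seq.lower() in form for form in forms):
            return seq
    return None

def blocked(config_xml, urls=SAMPLES):
    """Return the sample URLs the given config would reject."""
    seqs = deny_sequences(config_xml)
    return [u for u in urls if matched_rule(u, seqs)]

if __name__ == "__main__":
    for name, cfg in (("posted", POSTED), ("narrow", NARROW)):
        print(name)
        for u in blocked(cfg):
            print("  denied:", u)
```

Because the posted rule matches the bare substring "ctl", the model also rejects unrelated query strings such as directlink=42, while the narrower rule rejects only the two registration requests. Confirm the behaviour against the actual server before relying on either rule.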

 